From 4bb7942e1762a658ec0b2d60fa337528153e6255 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 3 Oct 2013 14:06:08 -0700
Subject: [PATCH 1/5] Apply Thomas D's Shorewall-init installer patch.
Signed-off-by: Tom Eastep
---
 Shorewall-init/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall-init/install.sh b/Shorewall-init/install.sh
index 6027c4594..97a6a666d 100755
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -385,7 +385,7 @@ else
 mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
 elif [ $HOST = gentoo ]; then
 # Gentoo does not support if-{up,down}.d
- return
+ /bin/true
 else
 mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 fi
@@ -467,7 +467,7 @@ if [ -z "$DESTDIR" ]; then
 elif [ $HOST = gentoo ]; then
 # On Gentoo, a service must be enabled manually by the user,
 # not by the installer
- return
+ /bin/true
 else
 if [ -n "$SYSTEMD" ]; then
 if systemctl enable shorewall-init.service; then
From 3c9d984835b602f17e6748c5a920e06893e0dd0f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 8 Oct 2013 06:56:16 -0700
Subject: [PATCH 2/5] Correct typo - list_split s/b split_list
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 44ac205f7..daa0ec528 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4474,7 +4474,7 @@ sub do_proto( $$$;$ )
 fatal_error "An inverted ICMP list may only contain a single type" if $invert;
 fatal_error "An ICMP type list is not allowed in this context" if $restricted;
 $types = '';
- for my $type ( list_split( $ports, 'ICMP type list' ) ) {
+ for my $type ( split_list( $ports, 'ICMP type list' ) ) {
 $types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
 }
 } else {
From b6d7e9ea967d213b12286d01f7300e6fbd8d0b68 Mon Sep 17 00:00:00 2001 
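Review bot: `/bin/true` in the two gentoo branches (the hunks at -385 and -467) serves only as an empty-branch placeholder, yet it runs an external binary from a hard-coded path. The shell's built-in null command does the same job without depending on the target's filesystem layout: `:` in place of `/bin/true`. A comment on the placeholder would also record why it is there, for example `# no-op: the branch may not be empty` (presumably the reason `return` was replaced rather than simply deleted).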
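Review bot: In the loop over `split_list( $ports, 'ICMP type list' )`, the first entry is stored as the raw `$type`. Only the second and later entries pass through `validate_icmp6`, so the first ICMP type of a list reaches the generated rule unchecked. The truthiness test on `$types` also means a leading entry of `0` would be overwritten by the next raw entry. Assuming `validate_icmp6` (defined outside this hunk) returns the validated type, the loop can become `$types = join( ',', map { validate_icmp6( $_ ) } split_list( $ports, 'ICMP type list' ) );`. do_proto's body starts and ends outside the hunk.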
From: Tom Eastep
Date: Tue, 8 Oct 2013 07:13:01 -0700
Subject: [PATCH 3/5] Work around emacs bug
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index daa0ec528..2ffb66278 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5006,7 +5006,7 @@ sub decode_tos( $$ ) {
 my $mask = have_capability( 'NEW_TOS_MATCH' ) ? 0xff : '';
 my $value;
- if ( $tos =~ m"^(.+)/(.+)$" ) {
+ if ( $tos =~ m|^(.+)/(.+)$| ) {
 require_capability 'NEW_TOS_MATCH', 'A mask', 's';
 $value = numeric_value $1;
 $mask = numeric_value $2;
From fa500b9ea2224f508148f9e057e46a13304889b2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 8 Oct 2013 09:20:46 -0700
Subject: [PATCH 4/5] Correct H323 and netbios-ns handling.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 76206ab9d..629711c20 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4014,7 +4014,14 @@ sub Helper_Match() {
 sub have_helper( $$$ ) {
 my ( $helper, $proto, $port ) = @_;
- if ( $helpers_enabled{$helper} ) {
+ my $helper_base = $helper;
+
+ $helper_base =~ s/-\d$//;
+ $helper_base = $helpers_map{$helper_base};
+ $helper_base =~ s/_HELPER//;
+ $helper_base =~ s/_/-/;
+
+ if ( $helpers_enabled{lc $helper_base} ) {
 if ( have_capability 'CT_TARGET' ) {
 qt1( "$iptables $iptablesw -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
 } else {
From 5e67808abd4a3651fd949d7ac566875bbfabc7a2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 8 Oct 2013 11:27:41 -0700
Subject: [PATCH 5/5] Don't add host route in default table. 
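Review bot: The added lookup `$helpers_map{$helper_base}` in have_helper is used without checking that the key exists. For a helper name with no map entry `$helper_base` becomes undef, so the following `s///` and `lc` operate on an undefined value and the test falls through to `$helpers_enabled{''}`. A guard directly after the lookup, for example `return 0 unless defined $helper_base;`, would make the unknown-helper case explicit. The right failure value depends on the rest of have_helper, which continues outside the hunk. Separately, `s/-\d$//` strips only a single trailing digit and `s/_/-/` rewrites only the first underscore, which deserves a comment if map values can hold more than one.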
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Providers.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm
index 5c1987544..1d89b88dd 100644
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -810,7 +810,7 @@ CEOF
 emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
 } else {
- emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}" if $hostroute;
+ emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
 emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
 emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
 }
@@ -828,7 +828,7 @@ CEOF
 emit '';
 if ( $gateway ) {
 if ( $family == F_IPV4 ) {
- emit qq(run_ip route replace $gateway/32 dev $physical table $id);
+ emit qq(run_ip route replace $gateway/32 dev $physical table $id) if $hostroute;
 emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 } else {
 emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
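Review bot: Nothing in the code explains why `if $hostroute` now guards only the IPv4 `$gateway/32` route in `table $id` (second hunk) while the IPv6 `route add` in the first hunk has become unconditional. The else branch of the second hunk continues outside the hunk, so it cannot be seen here whether an IPv6 host route in `table $id` needs the same guard; that is worth confirming. A comment above the guarded line, such as `# Host route to the gateway is emitted only when $hostroute is set`, would record the intent.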